Authenticator Archives

Winsage

November 27, 2025

Microsoft Security Keys May Require a PIN After Recent Windows Updates

Microsoft has updated Windows to require users to create and configure a PIN for FIDO2 security keys during sign-in, even if they did not set one during initial registration. This requirement applies to users who install the Windows preview update released on September 29, 2025 (KB5065789, OS Builds 26200.6725 and 26100.6725) or later updates. The necessity for a PIN is triggered when a Relying Party (RP) or Identity Provider (IDP) requests User Verification set to “Preferred.” The update aims to ensure compliance with WebAuthn specifications and began rolling out gradually on Windows 11 devices after the September 29, 2025 update, with full deployment completed by the November 11, 2025 security update (KB5068861, OS Builds 26200.7171 and 26100.7171). Windows now supports three verification settings: Discouraged, Preferred, and Required, with “Preferred” indicating that user verification should occur if supported by the authenticator.

Winsage

November 26, 2025

Microsoft: Security keys may prompt for PIN after recent updates

Microsoft issued a notice to users about a new behavior related to FIDO2 security keys following Windows updates since the September 2025 preview update. This change affects devices on Windows 11 versions 24H2 or 25H2, where users may be prompted to enter a PIN during authentication. The adjustment aligns with WebAuthn specifications, which outline protocols for authentication methods, including PINs and biometrics. User verification can be categorized as discouraged, preferred, or required, with "preferred" necessitating a PIN setup if supported by the authenticator. The rollout began after the KB5065789 preview update and was completed with the November KB5068861 security update. Microsoft stated that after installing the September 29, 2025 update, users might need to create a PIN to sign in with a security key, even if it was not required during initial registration. This behavior occurs when a Relying Party or Identity Provider requests User Verification = Preferred during authentication with a FIDO2 security key lacking a PIN. Organizations can opt to adjust the user verification setting to "discouraged" if they do not want to require users to create or enter PINs. FIDO2 security keys enable passwordless authentication by requiring the physical presence of a USB, NFC, or Bluetooth token, gaining popularity as organizations seek to reduce risks associated with traditional passwords.

Winsage

November 17, 2025

Windows 11 users just got a more convenient way to store passkeys – here’s how it works

The technology behind passkeys involves cryptographic keys and standards like FIDO2 and WebAuthn, but users can enhance their security by creating passkeys whenever offered by websites or apps, using face recognition, fingerprints, or PINs. Users can accumulate multiple passkeys for easier sign-in across services. 1Password is set to integrate a new native passkeys plugin API with Windows 11, allowing users to manage passkeys through 1Password while using Windows Hello for authentication. This integration requires the latest version of Windows 11 and the MSIX version of the 1Password app. Users can enable the passkey feature in 1Password and designate it as the system authenticator in Windows settings. Other password managers may also adopt this integration, and Windows is introducing its own passkey sync mechanism through the Microsoft Password Manager in Edge. Passkeys do not replace existing credentials but serve as a secure alternative to usernames and passwords, with some services offering fully passwordless options.

Winsage

November 11, 2025

1Password can now save passkeys directly in Windows 11

A new Windows API allows third-party applications to manage passkeys more effectively, with 1Password being the first password manager to adopt this innovation. The integration enables 1Password to act as the credential manager on Windows 11, allowing users to create and manage passkeys easily while using Windows Hello for authentication. This feature is available to anyone running the latest version of Windows 11 and the newly released MSIX version of the 1Password app. Users can enable the passkey feature through the 1Password application or manually in Windows settings. Once configured, Windows will use the selected credential manager instead of its default settings. Other password managers like Bitwarden and Dashlane may follow with similar support. Passkeys serve as a convenient alternative to traditional username and password combinations but do not replace existing credentials.

AppWizard

November 9, 2025

12 apps I urge non-techies to install on their Android phones

The preinstalled Android apps on smartphones may not meet the needs of all users, especially those who are less tech-savvy. Alternative apps can enhance the smartphone experience. TeamViewer allows remote troubleshooting by connecting to others' devices for assistance. Vivaldi offers a customizable browsing experience with ad-blocking and privacy features, while Microsoft Edge is a good option for Windows users. Google Wallet simplifies mobile payments and serves as a digital wallet for various cards. Nobook is a lightweight alternative to the Facebook app, providing faster load times and a streamlined experience. Bitwarden is a password manager that securely stores passwords with one master password, promoting the use of complex passwords. Google Authenticator provides multi-factor authentication by storing 2FA codes securely. Localsend facilitates large file transfers over Wi-Fi networks. Google Photos offers 15GB of free storage for image backup, and Google Gallery helps manage images easily. Tubular provides an ad-free YouTube experience, while Files by Google simplifies file management with categorization and a secure Safe Folder. Gboard enhances typing efficiency with features like autocomplete and swipe typing.

Tech Optimizer

October 24, 2025

Why Aren’t Antivirus Programs Enough To Protect Crypto?

Cryptocurrency has introduced a decentralized approach to financial transactions, but it faces significant security challenges, including vulnerability to cyberattacks, theft, and fraud. Traditional antivirus software has limitations, such as reliance on signature-based detection, which struggles against emerging and polymorphic malware. Behavioral detection methods also have shortcomings, as stealth malware can disguise itself and conditional activation can evade detection. Fileless malware techniques and human error, such as phishing and weak password hygiene, further complicate security. To enhance security, cryptocurrency users should adopt a multi-layered strategy that includes using hardware wallets for offline storage of private keys, implementing multi-factor authentication (MFA), and utilizing dedicated anti-malware tools. Safe browsing habits and regular software patches are also essential, along with securely backing up private keys.

Tech Optimizer

October 23, 2025

Delete the fake VPN app stealing Android users’ money

Malware targeting Android devices has become more sophisticated, with cybercriminals deploying fake banking applications and phishing campaigns. A recently identified dangerous app, Mobdro Pro IP TV + VPN, introduces a malware strain called Klopatra, which is used in campaigns against financial institutions. This app appears to be a free streaming platform but installs a banking Trojan and remote-access tool, allowing attackers to steal banking credentials and conduct fraudulent transactions. The infection process involves social engineering tactics to trick users into downloading the app from unofficial sources, and Klopatra can bypass Android's security measures. The rise of fake VPNs, like Mobdro, poses a significant risk, as many users rely on VPNs for privacy and security. Users are advised to take protective measures, including downloading apps only from trusted sources, checking app permissions, using secure VPNs, installing strong antivirus software, monitoring accounts, removing suspicious apps, keeping devices updated, changing passwords, enabling two-factor authentication, and reporting malicious apps.

AppWizard

October 16, 2025

Pixnapping: Side-Channel Vulnerability Allows Android Apps to Capture Sensitive Screen Data

A newly identified attack method called Pixnapping poses a significant threat to Android devices by allowing malicious applications to capture on-screen information from other apps through pixel stealing. This attack affects various applications, including Signal, Google Authenticator, and Venmo. Pixnapping occurs when a user installs a malicious app that uses Android APIs to launch a target application, capturing sensitive information displayed on the screen by exploiting a side channel. The attack utilizes the GPU.zip side-channel vulnerability, prevalent in modern GPUs from manufacturers like AMD, Apple, Arm, Intel, Qualcomm, and Nvidia. Currently, there are no mitigation strategies available for developers against Pixnapping, which can lead to the theft of locally stored secrets, such as two-factor authentication codes. The GPU.zip vulnerability was disclosed in 2023 and remains unaddressed by GPU vendors.

AppWizard

October 15, 2025

Think You’re Safe? Hackers Can Now Peek at Every Password You Type on Android

Android smartphones are being targeted by malware named "Pixnapping," which uses pixel-stealing technology to extract information directly from the screen without requiring elevated permissions. This malware captures repeated background screenshots to read pixels, allowing it to surveil sensitive information such as messages, passwords, and two-factor authentication (2FA) codes. The extracted data is transmitted to a remote server controlled by attackers, enabling them to infiltrate accounts and perform actions like altering settings or making purchases. The malware's effectiveness varies by device, with a recovery rate of 53% for 2FA codes on the Pixel 9 and 73% on the Pixel 6. A vulnerability in Android APIs, designated as CVE-2025-48561, is exploited by this malware. Google was notified of the vulnerability in February and issued a partial fix in September, but the issue remains unresolved. Users are advised to keep their devices updated, enable built-in protections, avoid unverified apps, and consider hardware-based two-factor authentication for enhanced security.

AppWizard

October 15, 2025

Worried About 2FA Codes? Pixnapping on Android Might Steal Them

A new cybersecurity threat called "Pixnapping" has been identified, targeting Android users. This attack can capture sensitive information displayed on a user's screen, such as two-factor authentication codes and chat messages, in under 30 seconds. It operates through a seemingly harmless app that prompts a target application to display confidential content and then analyzes the phone's rendering pipeline pixel by pixel to reconstruct the displayed information. The technique has been successfully demonstrated on Google Pixel devices and Samsung's Galaxy S25, exploiting timing discrepancies in graphics rendering. Google has released a patch (CVE-2025-48561) in September to address this vulnerability, though no real-world exploitation has been reported.